Tag Archives: Audit

Hospital System Fined $5.5 Million For Not Controlling Access

Memorial Healthcare Systems in Florida was fined $5.5 million for allowing the information of about 115,000 patients to be accessed “impermissibly”.

Memorial, which operates 6 hospitals, an urgent care center, a nursing home and other healthcare facilities in South Florida, reported the breach in 2012 – 5 years ago – after it discovered the problem. Exactly why it should take Health and Human Services 5 years to complete an investigation is a mystery to me.

The information taken includes names, birth dates and social security numbers.

Apparently, two employees who worked in an affiliated physicians’ office accessed the hospital’s systems for a year, stole patient records of over 100,000 patients and used that data to file fraudulent tax returns.

After discovering that employees had been stealing data for a year, Memorial worked with federal law enforcement, which ultimately led to the conviction of the people who filed the false tax returns using that stolen data.

Apparently, even though Memorial had been told for the six years prior to discovering the breach that its failure to review employee data access records was a risk, it still did not review those records.

As part of the settlement, Memorial denied any guilt. It seems to me that, if they had been told for six years that something was a risk and chose not to deal with it, they have some degree of guilt. Not admitting guilt is fairly typical in these deals so as to avoid giving plaintiffs who might be suing them any additional leverage.

It appears that the credentials used to access these records were legitimate, but it is unclear to me how the physician’s office staff got access to them.

This brings up the bigger issue of logging and auditing, something that affects all businesses: the thieves were not using credentials assigned to them when they stole the data, and that is exactly the kind of anomaly a review of access records is meant to surface.

We are seeing more regulators requiring businesses to maintain more comprehensive audit logs and processes.  Besides the HIPAA regulators, DoD and some state regulators have issued new rules or opinions.

But in addition to creating audit logs, you also need to review them and generate alerts based on that review. For a business like Memorial, that likely means reviewing millions or even tens of millions of audit records. That requires both software and people, and both cost money, which is likely at the root of the issue. After they discovered the breach, they did implement a review process, but the earlier decision not to review data access records apparently cost them a $5.5 million fine as well as having to implement a multi-year corrective action plan with the HIPAA regulator.
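As an added illustration of what "review and alert on" access records can mean in practice (this is example code written for this post, not anything Memorial or HHS runs), the script below reads constructed sample access-log lines and applies two simple rules: a credential used at a facility other than the one it is assigned to, and a user opening more distinct patient charts in a day than their role should need. The log format, the account directory and the per-role caps are all assumptions made for the example.

```python
"""Added example: reviewing patient-record access logs for anomalous use.

All data here is constructed for the example. Assumed log line format:
    timestamp,user,facility,patient_id,action
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed account directory (assumed structure): the role each credential
# carries and the facility where it is expected to be used.
ACCOUNT_DIRECTORY = {
    "nurse_a": {"role": "nurse", "home_facility": "hosp1"},
    "dr_b": {"role": "physician", "home_facility": "hosp2"},
    "clerk_x": {"role": "office_staff", "home_facility": "physician_office"},
}

# Constructed per-role ceiling on distinct patient charts per user per day.
DAILY_CHART_CAP = {"nurse": 40, "physician": 60, "office_staff": 15}


def _build_sample_log():
    """Constructed sample records; returns one CSV line per access."""
    lines = []
    # Normal nurse activity at her own hospital.
    for i in range(3):
        lines.append(f"2012-03-01T08:0{i}:00,nurse_a,hosp1,P10{i:02d},view")
    # A physician's credential used from an affiliated office instead of hosp2.
    for i in range(5):
        lines.append(f"2012-03-01T09:1{i}:00,dr_b,physician_office,P20{i:02d},view")
    # Office staff opening far more charts than the role's daily cap.
    for i in range(18):
        lines.append(f"2012-03-01T10:{i:02d}:00,clerk_x,physician_office,P3{i:03d},view")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


def parse_log(text):
    """Parse the assumed CSV format into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, facility, patient_id, action = line.split(",")
        records.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "facility": facility,
            "patient_id": patient_id,
            "action": action,
        })
    return records


def review_access(records, directory=ACCOUNT_DIRECTORY, caps=DAILY_CHART_CAP):
    """Return a list of findings, one per (rule, user), for the reviewer to triage."""
    findings = []
    off_site = Counter()   # rule 1: credential used away from its home facility
    unknown = Counter()    # credential not in the directory at all
    charts = defaultdict(set)  # rule 2: distinct charts per (user, day)

    for r in records:
        acct = directory.get(r["user"])
        if acct is None:
            unknown[r["user"]] += 1
            continue
        if r["facility"] != acct["home_facility"]:
            off_site[r["user"]] += 1
        charts[(r["user"], r["ts"].date())].add(r["patient_id"])

    for user, n in unknown.items():
        findings.append({"rule": "unknown_account", "user": user, "count": n})
    for user, n in off_site.items():
        findings.append({"rule": "location_mismatch", "user": user, "count": n})
    for (user, day), ids in charts.items():
        cap = caps[directory[user]["role"]]
        if len(ids) > cap:
            findings.append({"rule": "volume", "user": user, "count": len(ids),
                             "cap": cap, "day": day.isoformat()})
    return findings


if __name__ == "__main__":
    for f in review_access(parse_log(SAMPLE_LOG)):
        print(f)
```

On the constructed data the nurse produces no findings, the physician's credential is flagged five times for use from the affiliated office, and the office clerk is flagged for 18 charts against a cap of 15. Real deployments would add time-of-day and patient-relationship rules and feed the findings into an alerting pipeline, but the shape of the work is the same: defined expectations per account, a daily pass over the records, and a human who actually looks at what falls out.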

This represents a great opportunity for businesses in general to review their auditing processes: what audit data are we collecting, does that data meet the regulatory requirements, how long do we retain it, and how do we analyze it? The answers need to hold up for both compliance reasons and business requirements.

Information for this post came from the Sun Sentinel and Health and Human Services.

Anthem Refused Audit Required As Part Of Contract

The Register is reporting that Anthem refused to allow U.S. government auditors to audit its systems as required under a contract that Anthem has with the U.S. government. This news is coming out after Anthem was hacked and some 88 million customer records were taken.

The Office Of Personnel Management Inspector General audits insurers who provide insurance to government employees under the Federal Employees Health Benefits Program.

OPM has a particular audit protocol that is somewhat intrusive but not out of the ordinary and Anthem told them no, they could not do that.

I have been a vendor to several of the world’s largest banks and they used to audit my firms on a regular basis.  If we told them to go away, they would have told us to go away as well.

It is not at all clear why OPM allowed Anthem to continue to do business with the government under these circumstances.  It is the difference between private industry and government.

OPM wrote a report on Wellpoint (now Anthem) that said, in part:

Wellpoint has not implemented technical controls to prevent rogue devices from connecting to its network. Also, several specific servers containing Federal data are not subject to routine vulnerability scanning, and we could not obtain evidence indicating that these servers have ever been subject to a vulnerability scan.
In addition, WellPoint limited our ability to perform adequate testing in this area of the audit. As a result of this scope limitation and WellPoint’s inability to provide additional supporting documentation, we are unable to independently attest that WellPoint’s computer servers maintain a secure configuration.

Given this report, it is totally unimaginable that, in private industry, they would have been allowed to continue as a supplier.
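The OPM finding quoted above turns on evidence: servers holding federal data that were outside routine vulnerability scanning, and no records to show they had ever been scanned. As an added example (written for this post, not OPM's or Anthem's tooling), the script below takes a constructed asset inventory and a constructed scanner export and produces the kind of coverage report an auditor would ask for: in-scope hosts never scanned, hosts whose last scan is older than policy allows, and hosts that show up in scan results but are not in the inventory at all, which is the rogue-device signal. The inventory format, scan-history format and 30-day policy window are assumptions.

```python
"""Added example: vulnerability-scan coverage evidence for an audit.

All inventory and scan data is constructed for the example.
"""
from datetime import date

# Constructed inventory (assumed structure): which hosts hold the contracted
# data and are therefore in scope for the audit.
INVENTORY = {
    "web-01": {"in_scope": True},
    "db-federal-01": {"in_scope": True},
    "db-federal-02": {"in_scope": True},
    "build-01": {"in_scope": False},
}

# Constructed scanner export: (host, date of a completed scan).
SCAN_HISTORY = [
    ("web-01", date(2015, 1, 20)),
    ("web-01", date(2015, 2, 3)),
    ("db-federal-01", date(2014, 9, 2)),
    ("build-01", date(2015, 2, 1)),
    ("lab-99", date(2015, 2, 5)),   # scanned, but nobody inventoried it
]


def last_scan_dates(history):
    """Most recent scan date per host."""
    last = {}
    for host, d in history:
        if host not in last or d > last[host]:
            last[host] = d
    return last


def scan_coverage(inventory, history, as_of, max_age_days=30):
    """Classify every in-scope host and list hosts the inventory does not know."""
    last = last_scan_dates(history)
    report = {"never_scanned": [], "stale": [], "compliant": [], "unknown_hosts": []}
    for host, meta in sorted(inventory.items()):
        if not meta["in_scope"]:
            continue
        if host not in last:
            report["never_scanned"].append(host)
        elif (as_of - last[host]).days > max_age_days:
            report["stale"].append(host)
        else:
            report["compliant"].append(host)
    report["unknown_hosts"] = sorted(set(last) - set(inventory))
    return report


if __name__ == "__main__":
    for bucket, hosts in scan_coverage(INVENTORY, SCAN_HISTORY, date(2015, 2, 10)).items():
        print(f"{bucket}: {hosts}")
```

The point of keeping this as a repeatable script rather than a one-off spreadsheet is that the auditor can re-run it against a fresh scanner export and confirm the result, which is exactly the independent attestation OPM said it could not perform.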

After the breach, OPM again tried to audit Anthem and they again said no.

And, they continue to collect checks from the government.

This should be interesting fodder for the lawsuit machine.